On April 28, 2017, a proposed settlement agreement was submitted for court approval to conclude a shareholder derivative lawsuit against Home Depot Inc. and certain of its current and former directors and officers relating to a 2014 breach of Home Depot’s payment data systems and theft of 56 million customers’ personal financial data (In re The Home Depot Inc. Shareholder Derivative Litigation, N.D. Ga., No. 15-cv-02999).
In the lawsuit, the plaintiff shareholders alleged, among other things, that the defendant directors and officers breached their duty of loyalty to Home Depot by not establishing internal controls sufficient to oversee the risks Home Depot faced in the event of a data breach and by disbanding a Board of Directors committee that was supposed to have oversight of those risks. The defendants denied all claims and allegations.
In November 2016, the lawsuit was dismissed on the basis that the plaintiffs had failed to make a required pre-lawsuit demand that Home Depot sue the directors and officers. The plaintiffs appealed that decision.
The proposed Stipulation of Settlement and Release Agreement provides that, as part of the settlement of the lawsuit and possible additional claims arising from an ongoing investigation of the 2014 data breach, Home Depot will implement specified corporate governance reforms with respect to its U.S. stores and pay up to $1.125 million in legal fees to the plaintiffs’ lawyers. The corporate governance reforms are as follows:
(1) Home Depot will document the duties and responsibilities of its chief information security officer.
(2) Home Depot will conduct periodic tabletop cyber exercises to prepare to respond to cyber incidents.
(3) Home Depot will monitor and periodically assess key indicators of compromise on its computer network endpoints.
(4) Home Depot will engage a dark web search service to search for Home Depot information.
(5) Home Depot will maintain an executive-level data security and privacy governance committee with documented duties and responsibilities focused on data security.
(6) Home Depot’s management will periodically report to the board of directors regarding Home Depot’s information technology budget and the percentage spent on cybersecurity.
(7) Home Depot will maintain an incident response team and an incident response plan, and periodically re-evaluate the plan.
(8) Home Depot will maintain membership in at least one information sharing and analysis center or organization.
(9) Home Depot’s board of directors and audit committee will be authorized to retain information technology, data and security experts and consultants as they deem necessary.
The required corporate governance reforms, which provide a checklist of some cybersecurity best practices, are consistent with cyber risk management guidance issued by Canadian regulators and self-regulatory organizations (see "Regulatory Enforcement Action Emphasizes Need for Information Security Governance Framework", "Cyber Risk Management Guidance for Corporate Directors", "Cybersecurity Guidance from Investment Industry Regulatory Organization of Canada" and "Guidance for Corporate Directors").